Update to fix Windows bug -- at your risk

September 19, 2002 | By MIKE HIMOWITZ

When Microsoft issues a major bug fix for Windows, the smart-money players usually wait a while before installing it. They assume that the bug fix, known in the trade as a "Service Pack," has its own share of bugs, and they're willing to let the eager beavers find out if it contains any disasters waiting to happen.

Unfortunately, Microsoft's first major Service Pack for Windows XP, released Sept. 9, is more urgent than usual. Along with dozens of patches for published security flaws - most of which are obscure or were discovered only in lab tests - Service Pack 1 plugs a previously undisclosed hole in Windows that's potentially devastating and easy for hackers to exploit.

The vulnerability in the Windows XP Help and Support Center can be used by a malicious Web site (or even an e-mail sent in HTML format) to delete files from the user's system. In a demonstration video posted on the TechTV.com Web site, a booby-trapped Web page deleted a user's entire Windows directory. A real-world attack like that one would render a computer useless.

In the past, Microsoft has offered small, downloadable "patches" for these problems. But not this time. In order to get this critical fix, you'll have to install the entire SP1 upgrade. That means a gargantuan download from Microsoft's Web site - between 30 and 120 megabytes, depending on how often you've installed individual patches as they were released.

It's a bit like pulling into a service station with a flat and learning that the only way to have it fixed is to get four new tires, a tune-up and a transmission overhaul. The download can take hours over a dialup connection, and some ISPs automatically cut off users before a transfer that big can finish.

The alternative is to pay Microsoft $10 plus shipping to get Service Pack 1 on a CD. That's not an outrageous charge, but it will leave your PC vulnerable till the disk arrives.

Worse yet, a small but significant number of users have reported problems with the SP1 installation - including machines that won't start properly when it's finished. So you're left with a nasty risk-benefit calculation: Which is more likely to do harm, the security flaw or SP1? Neither is very likely to hurt your PC, but if lightning does strike, you're in big trouble.

Security experts have known about the XP Help Center bug since June. But they kept mum because they didn't want to tip off hackers while Microsoft was working on a fix.

Now, however, the cat is out of the bag, and Web security authorities are already noticing Web pages that try to exploit the hole. They're also upset because Microsoft hasn't released a specific patch for the problem outside of the massive SP1 download. They accuse the company of burying information about the flaw - a charge Microsoft addresses, and categorically denies, in its official statement about the security update. Since Microsoft rarely takes notice of its critics in these documents, it's obviously concerned.

As usual, this isn't a case of villainy. Microsoft has good reasons to want users to download and install SP1. No operating system is perfect, and Microsoft is using SP1 to make minor enhancements and address all the problems (security and otherwise) that it has fixed since XP was released last October.

Microsoft is particularly edgy about SP1 because it includes changes in Windows that the company agreed to as part of its antitrust settlement with the Justice Department. For example, with SP1 installed, PC makers (and end users) can hide icons that entice users to try MSN Messenger, Media Player and other non-critical programs that compete with services and software from third parties.

From a user's standpoint, it's also good practice to keep your operating system up to date. Service packs contain many invisible changes to forestall problems that might not occur until you install new application software or hardware.

In any case, Microsoft has fixed things so that you'll eventually need SP1 if you want to upgrade to later versions of Windows. The question is whether to install SP1 now or later.

If you want to fix the XP Help Center security flaw without installing SP1 right away, you can get a quick patch called XPdite from Gibson Research at http://grc.com/xpdite/xpdite.htm.

Steve Gibson, the company's founder, is a legendary programming wizard and one of the Internet's most respected (and feared) security gurus. XPdite takes only seconds to download and replaces a vulnerable file on your hard disk with a safe dummy.

For the record, Microsoft cautions against third-party patches, saying they don't always fix related problems. And Gibson himself urges users to install the full Service Pack 1 when they get the opportunity.

I installed SP1 without incident on the computer I use for testing hardware and software. But others weren't so lucky.